Portainer is often deployed quickly using the standard installation scripts. Once it is running, many users want to make Portainer accessible from the public internet, typically by:
- Forwarding ports 9000 (HTTP) or 9443 (HTTPS) from a public IP to the Portainer host
- Deploying a reverse proxy and exposing Portainer through a subdomain
Before doing this, it is important to understand that Portainer has extremely high privileges within your container environment. In many cases it has near root-level control over your infrastructure. Because of this, exposing Portainer to the internet should be done carefully and with proper security controls in place.
This guide outlines the recommended steps for securely exposing Portainer externally.
1. Consider using a VPN instead
Before exposing Portainer publicly, consider whether external access is actually required.
A VPN-based approach allows administrators to securely access Portainer without exposing the service to the internet. This greatly reduces the attack surface and is generally the preferred approach for production environments.
If you decide to expose Portainer publicly, the following security practices are strongly recommended.
2. Secure the Administrator account
The initial administrator account created during deployment is the most privileged account in Portainer.
If this account is compromised, an attacker could gain full control of your container infrastructure.
Ensure the administrator account has a password that:
- Is long and complex
- Does not contain dictionary words
- Is stored securely in a password manager
If the password does not meet these requirements, change it immediately.
3. Configure external authentication
When exposing Portainer to the internet, authentication should be handled by a secure external identity provider rather than Portainer's internal authentication system.
Supported authentication methods include:
- LDAP
- OAuth (recommended when MFA or 2FA is required)
See the Portainer documentation on LDAP and OAuth authentication for further details on configuring these.
If you are a Portainer Business Edition customer and require assistance, contact Portainer support for configuration guidance.
4. Avoid using internal authentication for public access
Portainer's internal authentication system is intended for non-production or demonstration environments.
If Portainer is accessible from the public internet and internal authentication is used:
- Every user must have a strong, non-dictionary password
- Weak passwords may eventually be compromised through brute-force attempts
Portainer includes rate limiting to reduce brute-force attacks, but strong passwords remain essential.
5. Use HTTPS only
Portainer introduced native HTTPS support in 2021.
Recommended configuration:
- Use HTTPS on port 9443
- Do not expose port 9000 (HTTP)
If your deployment still uses port 9000, upgrade to a newer version of Portainer and switch to HTTPS.
Always run the latest available version of Portainer to ensure you have the most recent security improvements.
6. Restrict network access
If Portainer is accessible from the internet, firewall restrictions should always be applied.
Recommended practices:
- Allow access only from trusted IP addresses
- Use firewall ACLs to restrict inbound access
- Consider geoblocking regions where access is not required
Avoid allowing unrestricted access such as:
0.0.0.0/0
This configuration exposes Portainer to automated scanning and brute-force attacks.
7. Ensure persistent storage is configured
Portainer stores configuration data on a persistent volume.
If you are running Portainer in a clustered environment, ensure the volume:
- Is shared across nodes
- Remains accessible if Portainer is rescheduled to another node
If the persistent volume is unavailable during a restart, Portainer may start in an unconfigured state, which could introduce security risks.
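Sections 5 to 7 above can be checked mechanically against a deployment definition. The following is an added example, not Portainer's own tooling: it audits a compose-style service mapping (the sample service is constructed here and deliberately misconfigured) for a published HTTP port 9000, a missing HTTPS port 9443, ports bound to every interface, and a missing persistent volume at /data. The function names and the tuple-based findings format are this example's own.

```python
import re

# Constructed compose-style service definition (not a real deployment).
# It publishes HTTP on 9000 as well as HTTPS and has no /data volume.
SAMPLE_SERVICE = {
    "image": "portainer/portainer-ce:2.19.4",
    "ports": ["9000:9000", "9443:9443"],
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
}

# Matches "[bind:]hostport:containerport[/proto]" (IPv4 bind addresses only).
PORT_RE = re.compile(
    r"^(?:(?P<bind>[^:]+):)?(?P<hport>\d+):(?P<cport>\d+)(?:/\w+)?$"
)


def parse_port(spec):
    """Return (bind_address, host_port, container_port) for a port mapping.

    A mapping with no explicit bind address publishes on all interfaces,
    which compose represents as 0.0.0.0.
    """
    m = PORT_RE.match(spec)
    if not m:
        return None
    return (m.group("bind") or "0.0.0.0", int(m.group("hport")), int(m.group("cport")))


def audit_portainer_service(service):
    """Return (level, message) findings for the hardening points in this guide."""
    findings = []
    mappings = [p for p in (parse_port(s) for s in service.get("ports", [])) if p]
    container_ports = {cport for _, _, cport in mappings}
    # Section 5: HTTPS on 9443 only, never plain HTTP on 9000.
    if 9000 in container_ports:
        findings.append(("high", "HTTP port 9000 is published; expose only HTTPS on 9443"))
    if 9443 not in container_ports:
        findings.append(("high", "HTTPS port 9443 is not published"))
    # Section 6: a port published on all interfaces relies entirely on the
    # host firewall ACLs to restrict inbound source addresses.
    for bind, hport, cport in mappings:
        if bind in ("0.0.0.0", "::"):
            findings.append(("info", f"port {hport}->{cport} is published on all "
                                     "interfaces; confirm firewall ACLs restrict sources"))
    # Section 7: configuration lives in /data and must survive restarts.
    targets = [v.split(":")[1] for v in service.get("volumes", []) if ":" in v]
    if "/data" not in targets:
        findings.append(("high", "no persistent volume mounted at /data; "
                                 "Portainer may restart unconfigured"))
    return findings
```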
Summary
When exposing Portainer to the internet, follow these core security practices:
- Prefer VPN access over public exposure
- Use a strong administrator password
- Configure LDAP or OAuth authentication
- Avoid relying on internal authentication
- Use HTTPS on port 9443
- Restrict access using firewall ACLs
- Ensure persistent storage is correctly configured
Taking these precautions significantly reduces the risk of unauthorized access and helps protect your container infrastructure.
For more information, refer to the official Portainer documentation.